Week 34 In Review – 2014

USENIX Security ’14 Technical Sessions – usenix.org
The full Proceedings published by USENIX for the symposium are available for download here. Individual papers can also be downloaded from the presentation page.

WOOT ’14 Workshop Program – usenix.org
The full papers published by USENIX for the workshop are available for download as an archive or individually below.

DEF CON 22 ICS Village – digitalbond.com
This is Corey Thuen’s first blog post at Digital Bond, and he’s going to break The Rule and talk about what happened in Vegas.

Hacktivism & Radical Politics: DEF CON 22 – duosecurity.com
It was cool to see the difference between the more corporate Black Hat crowd versus the unabashedly radical libertarian viewpoints of the DEF CON attendees – both presented valuable data and information in their own particular style.

Resources

New Git Repositories That I’m Following – www.andrewhay.ca
Every now and then Andrew Hay stars a Git repo that looks interesting, has a tool he wants to try later, or is something immediately useful. In reviewing some of his more recent ‘stars’, he thought it might be useful to share them with his readers.

PCB Deconstruction Techniques – grandideastudio.com
Printed Circuit Boards (PCBs), used within nearly every electronic product in the world, are physical carriers for electronic components and provide conductive pathways between them. Presentations and papers are available here.

BlackHat Talk and Railo Shoutout – breenmachine.blogspot.com
Here is the BlackHat USA 2014 presentation titled “Mobile Device Mismanagement” by Stephen Breen, along with a shout-out and reference to some work he has done with drone on vulnerabilities and some exploits they have whipped up for the Railo framework.

Passwordscon 2014 Videos – irongeek.com
These are the videos from the Passwordscon 2014 conference. You can watch and download the videos from here.

Q&A: DEF CON At 22 – darkreading.com
Dark Reading executive editor Kelly Jackson Higgins sat down with DEF CON founder Jeff Moss, a.k.a. The Dark Tangent, to get his take on this year’s show, the NSA, and the reality that cyberattacks are inevitable. Here is an excerpt from that interview.

OWASP WebSpa Project – owasp.org
The OWASP WebSpa Project is a Java web knocking tool for sending a single HTTP/S request to your web server in order to authorize the execution of a premeditated Operating System (O/S) command. It provides a cryptographically protected “open sesame” mechanism on the web application layer, comparable to well-known port-knocking techniques.

XSScrapy: fast, thorough XSS vulnerability spider – danmcinerney.org
Unsatisfied with the current crop of XSS-finding tools, Dan McInerney wrote one and he is very pleased with the results. He has tested this script against other spidering tools like ZAP, Burp, XSSer, XSSsniper, and others and it has found more vulnerabilities in every case.

Lynis v1.5.9 Released – cisofy.com
Security auditing tool for Linux, Mac and Unix based systems. Scan your systems in a matter of minutes and know what can be improved.

Techniques

Learning Exploitation with FSExploitMe – blog.opensecurityresearch.com
Brad wanted to create something that would help ease the students into the learning environment, and that’s what FSExploitMe is: a tutorial that walks you through the basics of WinDBG and general exploitation in a browser environment.

[useSecurity]true[/useSecurity] to false in config.xml in $JENKINS_HOME or by deleting the config.xml.

Vulnerabilities

Masscan does STARTTLS – blog.erratasec.com
Robert Graham has updated his port-scanner masscan to support STARTTLS, including Heartbleed checks. He suggests you run this on all your outward facing sites on all ports -p0-65535 to find lots of Heartbleed vulnerable services that your normal vulnerability scanner might’ve missed.

RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – algorithm.dk
One night Andrew was randomly reading the tel URI scheme RFC, as he is fascinated by old relics that are still used today, their flaws, and the way people never read the RFC, which leads to RTFM pwnage, as he calls it.

Documentum DQL Injection / ESA-2014-046 – penturalabs.wordpress.com
Pedro Laguna discovered an issue in the EMC Documentum software and internally called it “injeception”. Now that naming your vulnerability is so mainstream, he will just call it ESA-2014-046.

Other News

Hospital network hacked, 4.5 million records stolen – money.cnn.com
Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

About Us

Infosec Events is dedicated to the growing information security industry. We strive to provide useful information and resources to those in the industry. Don't hesitate to contact us should you need anything.